Sandboxing thumbnailers/file preview code


I've talked with a few people recently on IRC about providing file previews in my sandbox-traversing File Choosers or in Allan's new Content Selection Dialogs, and also about running untrusted thumbnailers for use in Nautilus. I'm curious whether the file preview back-end could reuse thumbnailers and if custom file preview functions could be entirely replaced with standalone thumbnailer executables.

In an OS with sandboxed apps, one would really want to also sandbox thumbnailers: they run with the desktop environment's privileges and could potentially steal every file they're given (or more). I've had a quick glimpse at the GNOME Thumbnailer and it seems very easy to sandbox it. Instead of directly launching the untrusted thumbnailer, you'd give its path as a parameter to a generic Sandboxed Worker.

The worker could be a well-known D-Bus name or user systemd service that sets up a Docker/LXC container, makes a read-only bind of the input file's path and a write-only bind to the output file's path. It could have a switch just like systemd services to remove networking, and possibly start with a very limited system interface (using seccomp2, with options to allow extra syscalls depending on the worker's task).

There probably are other places where such workers could be implemented and there could be a high-level API for them. It's also possible to implement sandboxed workers that process a function inside a piece of code rather than a different executable -- using tools like Capsicum and Wedge. I'm a bit less enthusiastic about these because if they get broken, it's harder to provide an alternative. An LXC container could be hardened more easily, in my opinion. In any case the API I have in mind should abstract away the method of sandboxing and just expose a single entry point and a signal to notify that the worker is done. The idea behind this is to allow changing the sandboxing back-end without needing to update clients - in case of a security breach in the currently used back-end.

Steve Dodier-Lazaro
PhD student in Information Security
University College London
Dept. of Computer Science
Malet Place Engineering, 6.07
Gower Street, London WC1E 6BT
OpenPGP : 1B6B1670
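
An added sketch of the worker API described in the message above (not code from the message or from GNOME): one entry point, a completion callback in place of the signal, and a replaceable back-end. Assumptions: bubblewrap stands in for the Docker/LXC container, a read-write bind of a dedicated output directory stands in for the write-only bind, the seccomp filter is left out, the /sandbox paths are made-up names, and %i/%o/%s follow the placeholder style of GNOME .thumbnailer Exec= lines.

```python
import os
import subprocess
from typing import Callable, List, Sequence

def bwrap_argv(exec_template: Sequence[str], input_path: str,
               output_dir: str, size: int = 128) -> List[str]:
    """Back-end: build a bubblewrap command line for one thumbnailer run."""
    exe = os.path.realpath(exec_template[0])
    src = os.path.realpath(input_path)   # resolve symlinks before binding
    out = os.path.realpath(output_dir)   # should be a fresh, empty directory
    # Fixed in-sandbox paths (hypothetical names): host paths are not revealed.
    subst = {"%i": "/sandbox/input", "%o": "/sandbox/out/thumb.png",
             "%s": str(size)}
    argv = ["bwrap",
            "--unshare-all",              # new namespaces, so no network
            "--die-with-parent",
            "--new-session",              # detach from the caller's terminal
            "--ro-bind", "/usr", "/usr",  # libraries; assumes a merged /usr
            "--symlink", "usr/lib", "/lib",
            "--symlink", "usr/lib64", "/lib64",
            "--proc", "/proc", "--dev", "/dev", "--tmpfs", "/tmp",
            "--ro-bind", exe, "/sandbox/thumbnailer",
            "--ro-bind", src, "/sandbox/input",  # only user file visible
            "--bind", out, "/sandbox/out",       # only writable host path
            "--", "/sandbox/thumbnailer"]
    return argv + [subst.get(arg, arg) for arg in exec_template[1:]]

Backend = Callable[[Sequence[str], str, str], List[str]]

def run_worker(exec_template: Sequence[str], input_path: str, output_dir: str,
               on_done: Callable[[int], None],
               backend: Backend = bwrap_argv, timeout: float = 30.0) -> int:
    """Single entry point; on_done(exit_code) plays the role of the signal."""
    if not os.path.isfile(input_path):
        raise FileNotFoundError(input_path)
    argv = backend(exec_template, input_path, output_dir)
    try:
        code = subprocess.run(argv, stdin=subprocess.DEVNULL, timeout=timeout,
                              env={"PATH": "/usr/bin:/bin"}).returncode
    except subprocess.TimeoutExpired:
        code = -1                         # hung thumbnailer was killed
    on_done(code)
    return code
```

Clients only ever call run_worker(), so replacing bwrap_argv with another back-end function does not require changing them.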
